Apparatus and method for detection of cyber tampering, physical tampering, and changes in performance of electronic devices

ABSTRACT

An analog tamper-detection apparatus (ATAMP) for onboard analysis of a target device includes a plurality of antennas, each antenna of the plurality of antennas disposed within the target device and being electrically isolated from components of the target device. The ATAMP device further includes radio frequency (RF) front-end (RFFE) transmitter circuitry coupled to the plurality of antennas, the RFFE transmitter circuitry configured to illuminate the target device with a plurality of electromagnetic signals emitted via the plurality of antennas, to generate a plurality of mixed RF signals. The ATAMP device further includes RFFE receiver circuitry configured to receive emissions from the target device based on the mixed RF signals, and processing circuitry configured to perform subsequent analysis and evaluation of the target device based on the received emissions. The processing circuitry further generates a notification of the subsequent analysis and evaluation.

This application claims the benefit of priority to U.S. patentapplication Ser. No. 16/406,590, filed May 8, 2019, which isincorporated herein by reference in its entirety.

TECHNICAL FIELD

Aspects disclosed herein pertain to using emissions from a system todetermine its operation, behavior, or state. Some aspects pertain to theapparatus and methods for detection of cyber tampering, physicaltampering, and changes in the performance of electronic devices.

BACKGROUND

Over at least the past thirty-five years there has been a continuinginterest in the ability to detect tampering with computing systems. Anumber of methods have been explored, including receiving inadvertentradio emissions, visible light examination, magnetic sensing,temperature sensing, multispectral analysis, acoustic sensing, andmechanical sensing. All of the previous methods have been limited in acombination of precision, range, and general applicability.

Computing device security is typically maintained using software todetect cyber intrusions. Many devices do not have the resources (memory,computational capability, etc.) to utilize such software and cannotdetect malicious codes or prevent its activation. Larger computationalsystems do not have diagnostics to determine if changes to theirelectronic designs and functions have been altered during production orafter purchase. Such systems are unequipped to detect operationalchanges from standard operation conditions when the device is used.While many devices have simple anti-intrusion detection systems,anti-tamper systems do not provide instantaneous and real-time alerts.Most small and many large computational and electronic devices do nothave sensors to identify changes to performance that indicate futuredevice failure or sub-standard performance. Known methods for observingtarget device characteristics and behavior during operation require somecombination of software and/or hardware resident on the target device,knowledge of target device communication protocols and modalities,and/or close physical access to the target device. Current and pasttechniques for detecting device tampering thus require substantial apriori knowledge, are potentially invasive to target device operation,and are susceptible to erroneous or even malicious activities on thetarget device.

BRIEF DESCRIPTION OF THE FIGURES

In the figures, which are not necessarily drawn to scale, like numeralsmay describe similar components in different views. Like numerals havingdifferent letter suffixes may represent different instances of similarcomponents. The figures illustrate generally, by way of example, but notby way of limitation, various embodiments discussed in the presentdocument.

FIG. 1 shows an example of an analog tamper-detection (ATAMP) systemwithin a target device in accordance with some embodiments.

FIG. 2 shows another example of an ATAMP system within a target devicein accordance with some embodiments.

FIG. 3 illustrates a flow chart of an inter-modulation detectiontechnique, which can be used in connection with a tamper-detectionsystem in accordance with some embodiments.

FIG. 4A illustrates a flow chart of a forced non-linear emissions (FNLE)detection technique, which can be used in connection with atamper-detection system in accordance with some embodiments.

FIG. 4B illustrates an example of FNLE spectrogram for analysis inaccordance with some embodiments.

FIG. 5A illustrates a flow chart of a passive detection technique, whichcan be used in connection with a tamper-detection system in accordancewith some embodiments.

FIG. 5B illustrates an example of passive spectrogram for analysis inaccordance with some embodiments.

FIG. 6 illustrates a flow chart of an example method for on-boardanalysis of a target device in accordance with some embodiments.

FIG. 7 illustrates a block diagram of a tamper-detection device inaccordance with some embodiments.

DETAILED DESCRIPTION

The following description and the drawings sufficiently illustrateaspects to enable those skilled in the art to practice them. Otheraspects may incorporate structural, logical, electrical, process, andother changes. Portions and features of some aspects may be included inor substituted for, those of other aspects. Aspects set forth in theclaims encompass all available equivalents of those claims. The presentinventors have recognized, among other things, that particularimprovements of the apparatus and methods used for analyzing remotelylocated target devices, such as computing systems, are possible andwould enable specific distinct advantages.

A radio frequency (RF) sensor system (also referred to as ATAMP systemor ATAMP device) is disclosed and can be configured to use the analogdomain for detection of tampering with software, hardware, and deviceoperation of a target device. The RF sensor system also providesindications of changes in device functionality and device performance,allowing for indication of future device failure or sub-standardperformance. In some aspects, components of the ATAMP system (e.g., oneor more antennas, a radio frequency front end (RFFE) that includestransmitting and receiving circuitry, as well as processing circuitry)can be built into electronics of the target device or can be configuredas a stand-alone device for detecting tampering with a target device.

In some aspects, the ATAMP system is air-gapped from the electronicdevice it protects (also referred to herein as “the target device” or“the protected device”). The ATAMP system can include components thatare built on, near, or into one or more multi-layer circuit boards ofthe protected device. In this regard, the disclosed techniques can beused for providing security against cyber threats, electronicmodification, and tampering on devices which have no such protection andlack the onboard resources to provide them. Because the ATAMP system isair-gapped from the circuitry of the board, it is not susceptible tocyber-attack. As used herein, the term “air-gapped” indicates that onedevice is isolated from another via non-conductive means (i.e., meansthat are electrically non-conductive), including air or anothernon-conductive (e.g., dielectric) material.

In an example, an ATAMP apparatus for onboard analysis of a targetdevice includes a plurality of antennas, with each antenna of theplurality of antennas being disposed within the target device and beingelectrically isolated (e.g., air-gapped) from components of the targetdevice. The ATAMP device further includes a radio frequency (RF)front-end (RFFE) transmitter circuitry coupled to the plurality ofantennas. The RFFE transmitter circuitry is configured to illuminate thetarget device with a plurality of electromagnetic signals emitted viathe plurality of antennas, to generate a plurality of mixed RF signals.The ATAMP device further includes an RFFE receiver circuitry configuredto receive emissions from the target device based on the mixed RFsignals, and processing circuitry. The processing circuitry isconfigured to perform subsequent analysis and evaluation of the targetdevice based on the received emissions, and generate a notification ofthe subsequent analysis and evaluation.

In an example, a method for onboard analysis of a target device includesilluminating the target device with a plurality of electromagneticsignals emitted via a plurality of antennas (e.g., at least twoantennas) that are air-gapped with the target device to generate aplurality of mixed radio frequency (RF) signals. Generating theplurality of mixed RF signals results in a resonant RF signal radiatingfrom the target device. The method further includes receiving theresonant RF signal using receiver circuitry for subsequent analysis andevaluation of the target device. A notification is generated based onthe analysis and evaluation of the target device.

In an example, a non-transitory computer-readable storage medium thatstores instructions for execution by one or more processors of an ATAMPdevice, the instructions to configure the one or more processors tocause the ATAMP device to illuminate a target device with a plurality ofelectromagnetic signals emitted via a corresponding plurality ofantennas that are air-gapped with the target device to generate aplurality of mixed radio frequency (RF) signals. Generating theplurality of mixed RF signals resulting in a resonant RF signalradiating from the target device. The resonant RF signal is receivedusing receiver circuitry for subsequent analysis and evaluation of thetarget device. A reference evaluation of the target device is comparedwith the received resonant RF signal to detect physical alteration ortampering of the target device. A notification is generated based on thedetected physical alteration or tampering of the target device.

FIG. 1 shows an example of an ATAMP system (or device) 102 within atarget device 100 in accordance with some embodiments. Referring to FIG.1, the ATAMP device 102 comprises suitable circuitry, logic, interfaces,and/or code and is configured to perform tamper detectionfunctionalities disclosed herein. The ATAMP device 102 elements includeat least one tunable RF antenna 108, an RFFE 104, and a processor (e.g.,CPU) 106. The at least one tunable RF antenna 108 is not connected tothe electronics/components (e.g., 112) of the target device 100. Forexample, the at least one tunable RF antenna 108 can be air-gapped sothat it is electrically isolated from components of the target device100. The RFFE 104 and the CPU 106 are also air-gapped from components112 of the target device 100. The CPU 106 is configured to control theantenna frequency of the at least one antenna 108, configure ATAMPlow-power RF transmissions (e.g., using the transmit circuitry withinthe RFFE 104), analyze device emissions, and provide a warning orelectronic protection to/of the protected device 100.

In some aspects, the ATAMP device 102 can utilize a common power sourceas the target device 100 or a power source of the ATAMP device 102 canbe based on a magnetic or another type of wireless charging connectionwith a power source of the target device 100.

In some aspects, the at least one antenna 108 can be a loop antenna oranother type of antenna. Even though FIG. 1 illustrates a single loopantenna as the at least one antenna 108, the disclosure is not limitedin this regard and more than one antennas can be used, as illustratedfor example in connection with FIG. 2.

FIG. 2 shows another example of a tamper-detection system within atarget device in accordance with some embodiments. Referring to FIG. 2,the ATAMP device 204 can be similar to the ATAMP device 102 of FIG. 1,except that FIG. 2 illustrates the ATAMP device 204 using a plurality ofantennas 206, . . . , 208. The antennas 206, . . . , 208 can includeloop antennas or another type of antennas that are electrically isolated(e.g., air-gapped) with components of the target device 100. The ATAMPdevice 204 includes an RFFE and a CPU (not illustrated in FIG. 2),similar to the RFFE and the CPU of ATAMP device 102. The RFFE of theATAMP device 204 can include a separate transmit circuitry for each ofthe antennas 206, . . . , 208, with each antenna being separatelyconfigurable for transmitting RF signals in a predetermined frequency.

All devices emit RF energy at different frequencies. The ATAMP deviceprovides onboard monitoring of these emissions and identifies changes tothese emissions that can signal cyber tampering (e.g., softwaretampering), electronic tampering, physical tampering, or changes todevice operational condition. Highlights of the tamper-detectionfunctionalities that can be performed by the ATAMP device 102/204 are asfollows:

(a) Inter-modulation detection technique: by providing RF transmissionsfrom the ATAMP antenna(s) (e.g., one or more of antennas 206, . . . ,208), resonant RF signal(s) or mixing signal products are created in thedevice that will change if the target device is physically altered. Bymonitoring the resonant signal(s) or mixing signal products (e.g., bythe CPU within the ATAMP device), physical changes to the target devicecan be detected. An example implementation can use a referenceevaluation (or a “gold image”) at a time when the ATAMP device isinstalled with the target device (e.g., within the target device) andthe ATAMP device is trained at the factory. In this regard, the “goldimage” can be generated (which can include characteristics of theinitial resonant signal generated at manufacturing/installation time atthe factory) and stored as a read-only image of a known good state todetect deviations in subsequent device uses;

(b) Forced non-linear emissions (FNLE) detection techniques: FNLE aregenerated by the ATAMP emission interactions with signals in theprotected device. The FNLE can be monitored by the ATAMP device todetermine if changes to the electronic design of the device are made.Changes in the RF FNLE emissions alert the ATAMP device to changes inthe protected device electronics:

(c) Passive detection techniques: unintended RF emissions (UE) of theprotected device are monitored by the ATAMP device. Analysis of the UE(and the FNLE) allows the ATAMP device to detect unwanted software ormalware that are running on the protected device;

(d) The air-gapped design of the ATAMP device prohibits externalcyber-attacks on the ATAMP protection system and circuits, making it areliable cyber protection system that cannot be affected by externalcyber threats;

(e) Changes in the pattern of the UE and the FNLE can be used to detectchanges in device performance and signal conditions that might lead toor indicate future device failure or sub-standard performance; and

(f) ATAMP device reporting can be accomplished (e.g., via the CPU 106)by a variety of means, such as on-board visual or audio notifications,data transmission via RF or trigger fault circuitry, as well as otherwired or wireless means of communicating a notification or alert as aresult of the tamper-detection techniques disclosed herein.

In this regard, the ATAMP device (e.g., 102 or 204) can perform thefollowing tamper-detection functions: detection of component andsub-component level tampering of electronic circuitry in near-real-time;air-gapped security implementation separated from the protected device;detection of malware/cyber-attacks in low-resource computationaldevices; and detection of device sub-standard performance and predictionof device failure. Example tamper detection techniques that can beperformed by the ATAMP device are further described in connection withFIG. 3-FIG. 6.

FIG. 3 illustrates a flow chart of an inter-modulation detectiontechnique 300, which can be used in connection with a tamper-detectionsystem in accordance with some embodiments. The inter-modulationdetection technique 300 can be used for detecting physical alteration ortampering of the target device.

Where physical security of electronic devices is required, there can bemultiple passive and active anti-tamper devices that can be used tonotify users that the device has been physically disturbed. Smallinexpensive devices typically utilize adhesive films with hologramsimprinted on them. Tampering is detected when a user notices a brokenseal on the device. More expensive devices, or for devices wherereal-time tampering notification is required, often utilize RF standingwave techniques to detect intrusion. For example, prior techniques canleverage carefully designed and configured transmitters to create thestanding waves used for detection. The amplitude of the standing wavechanges when the device is tampered with and a notification is providedor recorded by the intrusion detection system. In some aspects, theATAMP device is configured to monitor both self-generated and forcedemissions within electronic devices and to note changes in the standingwave characteristics of those. This technique can be used for providingreal-time anti-tampering notification for different types of electronicsystems which employ it. In this regard, techniques disclosed hereinutilize unintended emissions from the device (opposed to the configuredemissions) or analysis signal(s) to detect tampering.

The intermodulation detection technique refers to the use of two or moreillumination signals to produce passive or active nonlinear mixingproducts for analysis. These mixing products can be leveraged to detecthardware changes or alterations on the target device. The passivenonlinear mixing products provide an additional advantage in that themonitored device does not need to be powered on so that the nonlinearmixing products (e.g., signals) can be generated.

Referring to FIG. 3, the inter-modulation detection technique 300 canstart at operation 302, and at operation 304 (e.g., at time ofmanufacturing the ATAMP device and the target device), two transmittersand one receiver can be configured within the ATAMP device 204. Forexample, two transmitters within the RFFE of the ATAMP device can beconfigured for transmitting RF signals using two antennas of theplurality of antennas 206, . . . , 208. At operation 306, the targetdevice is illuminated with signals generated by both transmitters togenerate mixing products (or signals). At operation 308, re-emissions bythe target device are received by a receiver circuit within the RFFE andanalyzed by the CPU to generate the “gold image” (e.g., signalcharacteristics associated with the re-emissions by the target device).At operation 310, the generated “gold image” can be stored by the ATAMPdevice for subsequent monitoring and tamper detection. At operation 312,the two transmitters and one receiver can be configured to monitor thetarget device continuously by, e.g., periodically illuminating thetarget device and receiving re-emissions from the target device based onthe illumination. In some aspects, the target device can be powered offwhile the monitoring under this technique takes place. At operation 314,the re-emissions are received by the receiver circuit within the ATAMPdevice and analyzed by the CPU. More specifically, at operation 316, theCPU can compare the detected re-emissions (e.g., a resonant signalgenerated by components of the target device when illuminated with themixing products from the RF signals emitted by the antennas) with the“gold image”. Based on the comparison, at operation 318, an alert can begenerated, or processing can resume at operation 314 for continuousanalysis of signal re-emissions.

To conduct the device illumination, the first transmitter within theATAMP device is configured to transmit signals at a starting frequency,and the second transmitter is configured to transmit signals at anoffset of the first transmitter's frequency. For example, if the firsttransmitter is configured for 100 MHz, the second transmitter isconfigured for a set offset of 5 MHz from the first transmitterfrequency, or 105 MHz in this example. The receiver within the ATAMPdevice can be configured to monitor for mixing products at an offsetfrom the two transmitters. For example, the receiver can be configuredto observe at the frequency band of 110 MHz to 130 MHz in this example.To analyze the device, the transmitters are frequency swept incoordination while the receiver is also frequency swept in coordinationto observe mixing products. An example next frequency step would be thefirst transmitter to transmit signals at 105 MHz, the second transmitterto transmit signals at 110 MHz, and the receiver to monitor thefrequency band of 115 MHz to 135 MHz. The frequency bands mentionedherein are simply for illustration and other preconfigured transmissionfrequencies and monitoring frequency ranges can be used as well.Depending on the target device, the transmitters and receivers can beconfigured for different sweep parameters.

In some aspects, the CPU can perform analysis of the mixing productsproduced from the transmission of the signals by the two transmittersusing one or more of the following techniques for performing theanalysis: (1) frequency distribution metrics, (2) spectral powerdistribution metrics, (3) total spectral density, (4) patterns derivedfrom changes in frequency, amplitude, or phase, (5) existence ofnon-linear mixing spurs or mixing products, (6) demodulated signals, (7)statistical classification techniques of spectral features, and (8)additionally derived patterns utilizing analysis of n-levels ofn-features within the spectrum. Other metrics or techniques can be usedas well.

FIG. 4A illustrates a flow chart of a forced non-linear emissions (FNLE)detection technique 400, which can be used in connection with atamper-detection system in accordance with some embodiments. The FNLEdetection technique can be used to detect cyber tampering, malware, andelectronic tampering.

Cyber Tampering and Malware. The ATAMP device provides protectionagainst cyber intrusions by monitoring of both forced and unintendedemissions of the protected device. During standard operations, thedevice produces unintended emissions (UE) at very low power levels.Forced non-linear emissions (FNLE) are created by illuminating thecircuits with an external RF signal (generated by the ATAMP transmitcircuitry). Creation and detection of UE and FNLE are facilitated by theproximity of the ATAMP antenna to the device—it is part of the devicestructure, and by the housings of the protected device which can providea reverberation chamber and improve the amplitude of the signals. TheATAMP device monitors the UE and FNLE and catalogs them fornear-real-time analysis. Changes from the patterns of emissions understandard operating conditions signal the advent of malware operating onthe protected device. The ATAMP device can provide a warning or act tohalt operations affected by the malware.

In connection with FNLE, additional non-linear mixing products can beproduced for complex devices, particularly CMOS circuits. These include(1) low frequency, unintended emissions, extracted via FNLE, (2)cross-modulation products (CMPs), caused by coupling with the switching(clock) circuitry, (3) additional non-linear mixing spurs cause byinteracting with active onboard components (also labeled as CMPs), and(4) more additional-linear mixing signal products caused by parasiticimpedance changes by the FNLE signal. The culmination of these signalscan be used to remotely analysis a target device from a distance.

To analyze a device via the FNLE, multiple analysis techniques can beutilized. Such techniques involve more processing than simple spectrumsensing and can include (1) frequency distribution metrics, (2) spectralpower distribution metrics, (3) total spectral density, (4) patternsderived from changes in frequency, amplitude, or phase, (5) existence ofnon-linear mixing spurs or mixing products, (6) demodulated signals, (7)statistical classification techniques of spectral features, (8)additionally derived patterns utilizing analysis of n-levels ofn-features within the spectrum, or other techniques.

Electronic Tampering. The circuits of electronic devices can act asantennas when illuminated by external RF energy. The gain of thesecircuit antennas is affected by their length and impedance.Additionally, non-linear devices like transistors and diodes can act asmixers to combine signals carried by the circuit and RF illuminationenergy to create FNLE. A device with a standard set of electronics understandard operating conditions will produce a set of standard patterns ofFNLE. If new electronic circuits are added or switched-in to achievealtered device performance, the pattern of FNLE will change. Theamplitude of some FNLE will drop or rise and new FNLE may be detected.The ATAMP device can provide a near-real-time warning of changes to theelectronics or their electronic functions through the creation andmonitoring of FNLE in the protected device.

Referring to FIG. 4A, the FNLE detection technique 400 can start atoperation 402, and at operation 404 (e.g., at time of manufacturing theATAMP device and the target device), one transmitters and one receivercan be configured within the ATAMP device 204. For example, onetransmitter within the RFFE of the ATAMP device can be configured fortransmitting RF signals using one antenna of the plurality of antennas206, . . . , 208. At operation 406, the target device (e.g., when it ispowered on) is illuminated with signals generated by the singletransmitter to generate mixing products (or signals). At operation 408,re-emissions by the target device are received by a receiver circuitwithin the RFFE and analyzed by the CPU to generate the “gold image”(e.g., signal characteristics associated with the re-emissions by thetarget device). At operation 410, the generated “gold image” can bestored by the ATAMP device for subsequent monitoring and tamperdetection. At operation 412, the single transmitter and the singlereceiver can be configured to monitor the target device continuously by,e.g., periodically illuminating the target device and receivingre-emissions from the target device based on the illumination. In someaspects, the target device can remain powered on while the monitoringunder this technique takes place. At operation 414, the re-emissions arereceived by the receiver within the ATAMP device and analyzed by theCPU. More specifically, at operation 416, the CPU can compare thedetected re-emissions with the “gold image”. Based on the comparison, atoperation 418, an alert can be generated, or processing can resume atoperation 414 for continuous analysis of signal re-emissions.

In this regard, the FNLE detection technique requires only onetransmitter and the device to be powered on. This technique isadvantageous in detecting changes in software or electronic changes. Theillumination signal is configured to be frequency swept and the receiveris configured to be swept in coordination. The receiver can beconfigured to observe a band at some offset from the illuminationsignal. An example is illustrated in FIG. 4B.

FIG. 4B illustrates an example of FNLE spectrogram 450 for analysis inaccordance with some embodiments. Referring to FIG. 4B, spectrogram 450illustrates that the target device is illuminated at 710 MHz, with areceiver of the ATAMP device configured to observe 708.5 MHz to 713.5MHz. This produces mixing products seen throughout the re-emissionspectrum. The mixing products can be analyzed in a variety of ways, asdiscussed hereinabove.

FIG. 5A illustrates a flow chart of a passive detection technique 500,which can be used in connection with a tamper-detection system inaccordance with some embodiments.

Techniques disclosed herein can be used to monitor device performanceand operating conditions. For example, the ATAMP device monitors theFNLE emissions as well as unintended emissions of a protected deviceover time. These emissions may change as the device ages andparticularly could change if portions of the electronics begin to fail.By monitoring the device emissions, the ATAMP device can detect bothsub-standard performances and notify the user of potential conditionsthat might lead to device failure. The ATAMP device can be configured todistinguish between tampering and device degradation as these are twodistinct states.

Referring to FIG. 5A, the passive detection technique 500 can start atoperation 502, and at operation 504 (e.g., at time of manufacturing theATAMP device and the target device), one receiver can be configuredwithin the ATAMP device 204 for receiving emissions by the targetdevice. At operation 506, the target device (e.g., when it is poweredon) generates emissions (e.g., unintended emissions) and the CPUanalyzes the analog emissions received by the receiver to generate the“gold image” of the unintended emissions. At operation 508, thegenerated “gold image” can be stored by the ATAMP device for subsequentmonitoring and tamper detection. At operation 510, the receiver can beconfigured to monitor the target device continuously by, e.g.,periodically monitoring and receiving unintended emissions. At operation512, the emissions are received by the receiver and analyzed by the CPU.More specifically, at operation 514, the CPU can compare the detectedemissions with the “gold image”. Based on the comparison, at operation516, an alert can be generated, or processing can resume at operation512 for continuous analysis of signal emissions.

Similar to the above techniques, the passive detection techniquerequires the use of only the ATAMP device receiver and a powered-ontarget device. The receiver is set to observe a frequency band foranalog signals (e.g., unintended emissions) generated by the monitored(target) device. An example is illustrated in FIG. 5B. Morespecifically, FIG. 5B illustrates an example of passive spectrogram 550for analysis in accordance with some embodiments. In passive spectrogram550, a receiver in the ATAMP device monitors a target device foremissions in the frequency range of 0-10 MHz. The device inherentlyproduces analog emissions, as seen in the spectrogram 550, whichemissions can be analyzed in a variety of ways, as discussedhereinabove.

FIG. 6 illustrates a flow chart of an example method 600 for onboardanalysis of a target device in accordance with some embodiments.Referring to FIG. 6, method 600 can be performed by the ATAMP device 102of FIG. 1 or 204 of FIG. 2. At operation 602, the target device isilluminated with a plurality of electromagnetic signals emitted via aplurality of antennas that are air-gapped with the target device togenerate a plurality of mixed radio frequency (RF) signals, generatingthe plurality of mixed RF signals resulting in a resonant RF signalradiating from the target device. More specifically, two transmitterswithin the RFFE circuitry of the ATAMP device 204 can use two of theantennas 206, . . . , 208 to transmit RF signals and illuminate targetdevice 100 resulting in a resonant RF signal radiating from the targetdevice. At operation 604, the resonant RF signal is received usingreceiver circuitry for subsequent analysis and evaluation of the targetdevice. For example, the resonant RF signal is received by receivercircuitry within the RFFE of the ATAMP device 204. The CPU of the ATAMPdevice 204 can compare a previously stored “gold image” of a resonant RFsignal generated at manufacturing time with the received resonant RFsignal. In some aspects, the resonant RF signal is generated while thetarget device 100 is powered off. At operation 606, a notification(e.g., an alert message) is generated based on the analysis andevaluation of the target device (e.g., when the “gold image” does notmatch the received resonant RF signal).

In some aspects, the ATAMP device can be configured as an externaldevice (e.g., device 700 in FIG. 7) to allow periodic interrogation of avariety of electronic devices. In some aspects, the ATAMP device can beconfigured in a multi-tone illuminator mode that would provide fordetection of electronic device modifications and protection fromphysical tampering.

FIG. 7 illustrates a block diagram of a tamper-detection device inaccordance with some embodiments. In alternative aspects, thetamper-detection device 700 may operate as a standalone device or may beconnected (e.g., networked) to other communication devices.

Circuitry (e.g., processing circuitry) is a collection of circuitsimplemented intangible entities of the device 700 that include hardware(e.g., simple circuits, gates, logic, etc.). Circuitry membership may beflexible over time. Circuitries include members that may, alone or incombination, perform specified operations when operating. In an example,the hardware of the circuitry may be immutably designed to carry out aspecific operation (e.g., hardwired). In an example, the hardware of thecircuitry may include variably connected physical components (e.g.,execution units, transistors, simple circuits, etc.) including amachine-readable medium physically modified (e.g., magnetically,electrically, moveable placement of invariant massed particles, etc.) toencode instructions of the specific operation.

In connecting the physical components, the underlying electricalproperties of a hardware constituent are changed, for example, from aninsulator to a conductor or vice versa. The instructions enable embeddedhardware (e.g., the execution units or a loading mechanism) to createmembers of the circuitry in hardware via the variable connections tocarry out portions of the specific operation when in operation.Accordingly, in an example, the machine-readable medium elements arepart of the circuitry or are communicatively coupled to the othercomponents of the circuitry when the device is operating. In an example,any of the physical components may be used in more than one member ofmore than one circuitry. For example, under operation, execution unitsmay be used in a first circuit of a first circuitry at one point in timeand reused by a second circuit in the first circuitry, or by a thirdcircuit in a second circuitry at a different time. Additional examplesof these components with respect to the device 700 follow.

In some aspects, the device 700 may operate as a standalonetamper-detection device or may be connected (e.g., networked) to otherdevices. In a networked deployment, the communication device 700 mayoperate in the capacity of a server communication device, a clientcommunication device, or both in server-client network environments toperform one or more of the tamper detection functionalities discussedherein. In an example, the communication device 700 may act as a peercommunication device in peer-to-peer (P2P) (or other distributed)network environment. The communication device 700 may be a UE, eNB, PC,a tablet PC, a STB, a PDA, a mobile telephone, a smartphone, a webappliance, a network router, switch or bridge, or any communicationdevice capable of executing instructions (sequential or otherwise) thatspecify actions to be taken by that communication device. Further, whileonly a single communication device is illustrated, the term“communication device” shall also be taken to include any collection ofcommunication devices that individually or jointly execute a set (ormultiple sets) of instructions to perform any one or more of themethodologies discussed herein, such as cloud computing, software as aservice (SaaS), and other computer cluster configurations.

Examples, as described herein, may include, or may operate on, logic ora number of components, modules, or mechanisms. Modules are tangibleentities (e.g., hardware) capable of performing specified operations andmay be configured or arranged in a certain manner. In an example,circuits may be arranged (e.g., internally or with respect to externalentities such as other circuits) in a specified manner as a module. Inan example, the whole or part of one or more computer systems (e.g., astandalone, client or server computer system) or one or more hardwareprocessors may be configured by firmware or software (e.g.,instructions, an application portion, or an application) as a modulethat operates to perform specified operations. In an example, thesoftware may reside on a communication device-readable medium. In anexample, the software, when executed by the underlying hardware of themodule, causes the hardware to perform the specified operations.

Accordingly, the term “module” is understood to encompass a tangibleentity, be that an entity that is physically constructed, specificallyconfigured (e.g., hardwired), or temporarily (e.g., transitorily)configured (e.g., programmed) to operate in a specified manner or toperform part or all of any operation described herein. Consideringexamples in which modules are temporarily configured, each of themodules need not be instantiated at any one moment in time. For example,where the modules comprise a general-purpose hardware processorconfigured using software, the general-purpose hardware processor may beconfigured as respective different modules at different times. Thesoftware may accordingly configure a hardware processor, for example, toconstitute a particular module at one instance of time and to constitutea different module at a different instance of time.

Communication device 700 may include a hardware processor 702 (e.g., acentral processing unit (CPU), a graphics processing unit (GPU), ahardware processor core, or any combination thereof), a main memory 704,a static memory 706, and mass storage 707 (e.g., hard drive, tape drive,flash storage, or other block or storage devices), some or all of whichmay communicate with each other via an interlink (e.g., bus) 708.

The communication device 700 may further include a display device 710,an alphanumeric input device 712 (e.g., a keyboard), and a userinterface (UI) navigation device 714 (e.g., a mouse). In an example, thedisplay device 710, input device 712 and UI navigation device 714 may bea touchscreen display. The communication device 700 may additionallyinclude a signal generation device 718 (e.g., a speaker), a networkinterface device 720, and one or more sensors 721, such as a globalpositioning system (GPS) sensor, compass, accelerometer, or anothersensor. The communication device 700 may include an output controller728, such as a serial (e.g., universal serial bus (USB), parallel, orother wired or wireless (e.g., infrared (IR), near field communication(NFC), etc.) connection to communicate or control one or more peripheraldevices (e.g., a printer, card reader, etc.).

The storage device 707 may include a communication device-readablemedium 722, on which is stored one or more sets of data structures orinstructions 724 (e.g., software) embodying or utilized by any one ormore of the techniques or functions described herein. In some aspects,registers of the processor 702, the main memory 704, the static memory706, and/or the mass storage 707 may be, or include (completely or atleast partially), the device-readable medium 722, on which is stored theone or more sets of data structures or instructions 724, embodying orutilized by any one or more of the techniques or functions describedherein. In an example, one or any combination of the hardware processor702, the main memory 704, the static memory 706, or the mass storage 716may constitute the device-readable medium 722.

As used herein, the term “device-readable medium” is interchangeablewith “computer-readable medium” or “machine-readable medium”. While thecommunication device-readable medium 722 is illustrated as a singlemedium, the term “communication device-readable medium” may include asingle medium or multiple media (e.g., a centralized or distributeddatabase, and/or associated caches and servers) configured to store theone or more instructions 724.

The term “communication device-readable medium” is inclusive of theterms “machine-readable medium” or “computer-readable medium”, and mayinclude any medium that is capable of storing, encoding, or carryinginstructions (e.g., instructions 724) for execution by the communicationdevice 700 and that cause the communication device 700 to perform anyone or more of the techniques of the present disclosure, or that iscapable of storing, encoding or carrying data structures used by orassociated with such instructions. Non-limiting communicationdevice-readable medium examples may include solid-state memories andoptical and magnetic media. Specific examples of communicationdevice-readable media may include: non-volatile memory, such assemiconductor memory devices (e.g., Electrically Programmable Read-OnlyMemory (EPROM), Electrically Erasable Programmable Read-Only Memory(EEPROM)) and flash memory devices; magnetic disks, such as internalhard disks and removable disks; magneto-optical disks; Random AccessMemory (RAM); and CD-ROM and DVD-ROM disks. In some examples,communication device-readable media may include non-transitorycommunication device-readable media. In some examples, communicationdevice-readable media may include communication device-readable mediathat is not a transitory propagating signal.

The instructions 724 may further be transmitted or received over acommunications network 726 using a transmission medium (e.g.,transceiver circuitry 740) via the network interface device 720utilizing any one of a number of transfer protocols. In an example, thenetwork interface device 720 may include one or more physical jacks(e.g., Ethernet, coaxial, or phone jacks) or one or more antennas toconnect to the communications network 726. In an example, the networkinterface device 720 may include a plurality of antennas 742 coupled tothe transceiver circuitry 740 to wirelessly communicate using at leastone of single-input-multiple-output (SIMO), MIMO, ormultiple-input-single-output (MISO) techniques. In some examples, thenetwork interface device 720 may wirelessly communicate using MultipleUser MIMO techniques. Additionally, the network interface device 720 canperform temper detection functionalities discussed herein using one ormore transmitters and a receiver within the transceiver circuitry 740 aswell as one or more of the plurality of antennas 742.

The term “transmission medium” shall be taken to include any intangiblemedium that is capable of storing, encoding or carrying instructions forexecution by the communication device 700, and includes digital oranalog communications signals or another intangible medium to facilitatecommunication of such software. In this regard, a transmission medium inthe context of this disclosure is a device-readable medium.

A communication device-readable medium may be provided by a storagedevice or other apparatus which is capable of hosting data in anon-transitory format. In an example, information stored or otherwiseprovided on a communication device-readable medium may be representativeof instructions, such as instructions themselves or a format from whichthe instructions may be derived. This format from which the instructionsmay be derived may include source code, encoded instructions (e.g., incompressed or encrypted form), packaged instructions (e.g., split intomultiple packages), or the like. The information representative of theinstructions in the communication device-readable medium may beprocessed by processing circuitry into the instructions to implement anyof the operations discussed herein. For example, deriving theinstructions from the information (e.g., processing by the processingcircuitry) may include: compiling (e.g., from source code, object code,etc.), interpreting, loading, organizing (e.g., dynamically orstatically linking), encoding, decoding, encrypting, unencrypting,packaging, unpackaging, or otherwise manipulating the information intothe instructions.

In an example, the derivation of the instructions may include assembly,compilation, or interpretation of the information (e.g., by theprocessing circuitry) to create the instructions from some intermediateor preprocessed format provided by the machine-readable medium. Theinformation, when provided in multiple parts, may be combined, unpacked,and modified to create the instructions. For example, the informationmay be in multiple compressed source code packages (or object code, orbinary executable code, etc.) on one or several remote servers. Thesource code packages may be encrypted when in transit over a network anddecrypted, uncompressed, assembled (e.g., linked) if necessary, andcompiled or interpreted (e.g., into a library, stand-alone executable,etc.) at a local machine, and executed by the local machine.

Although an aspect has been described with reference to specificexemplary aspects, it will be evident that various modifications andchanges may be made to these aspects without departing from the broaderscope of the present disclosure. Accordingly, the specification anddrawings are to be regarded in an illustrative rather than a restrictivesense. This Detailed Description, therefore, is not to be taken in alimiting sense, and the scope of various aspects is defined only by theappended claims, along with the full range of equivalents to which suchclaims are entitled.

The above-detailed description includes references to the accompanyingdrawings, which form a part of the detailed description. The drawingsshow, by way of illustration, specific embodiments in which someembodiments can be practiced. These embodiments are also referred toherein as “examples.” Such examples can include elements in addition tothose shown or described. However, the present inventors alsocontemplate examples in which only those elements shown or described areprovided. Moreover, the present inventors also contemplate examplesusing any combination or permutation of those elements shown ordescribed (or one or more aspects thereof), either with respect to aparticular example (or one or more aspects thereof), or with respect toother examples (or one or more aspects thereof) shown or describedherein.

In the event of inconsistent usages between this document and anydocuments so incorporated by reference, the usage in this documentcontrols.

In this document, the terms “a” or “an” are used, as is common in patentdocuments, to include one or more than one, independent of any otherinstances or usages of “at least one” or “one or more.” In thisdocument, the term “or” is used to refer to a nonexclusive or, such that“A or B” includes “A but not B,” “B but not A,” and “A and B,” unlessotherwise indicated. In this document, the terms “including” and “inwhich” are used as the plain-English equivalents of the respective terms“comprising” and “wherein.” Also, in the following claims, the terms“including” and “comprising” are open-ended, that is, a system, device,article, composition, formulation, or process that includes elements inaddition to those listed after such a term in a claim are still deemedto fall within the scope of that claim. Moreover, in the followingclaims, the terms “first,” “second,” and “third,” etc. are used merelyas labels, and are not intended to impose numerical requirements ontheir objects.

Geometric terms, such as “parallel”, “perpendicular”, “round”, or“square”, are not intended to require absolute mathematical precision,unless the context indicates otherwise. Instead, such geometric termsallow for variations due to manufacturing or equivalent functions. Forexample, if an element is described as “round” or “generally round,” acomponent that is not precisely circular (e.g., one that is slightlyoblong or is a many-sided polygon) is still encompassed by thisdescription.

Method examples described herein can be machine or computer-implementedat least in part. Some examples can include a computer-readable mediumor machine-readable medium encoded with instructions operable toconfigure an electronic device to perform methods as described in theabove examples. An implementation of such methods can include code, suchas microcode, assembly language code, a higher-level language code, orthe like. Such code can include computer readable instructions forperforming various methods. The code may form portions of computerprogram products. Further, in an example, the code can be tangiblystored on one or more volatile, non-transitory, or non-volatile tangiblecomputer-readable media, such as during execution or at other times.Examples of these tangible computer-readable media can include, but arenot limited to, hard disks, removable magnetic disks, removable opticaldisks (e.g., compact disks and digital video disks), magnetic cassettes,memory cards or sticks, random access memories (RAMs), read onlymemories (ROMs), and the like.

The above description is intended to be illustrative, and notrestrictive. For example, the above-described examples (or one or moreaspects thereof) may be used in combination with each other. Otherembodiments can be used, such as by one of ordinary skill in the artupon reviewing the above description. The Abstract is provided to complywith 37 C.F.R. § 1.72(b), to allow the reader to quickly ascertain thenature of the technical disclosure. It is submitted with theunderstanding that it will not be used to interpret or limit the scopeor meaning of the claims. Also, in the above Detailed Description,various features may be grouped together to streamline the disclosure.This should not be interpreted as intending that an unclaimed disclosedfeature is essential to any claim. Rather, the inventive subject mattermay lie in less than all features of a particular disclosed embodiment.Thus, the following claims are hereby incorporated into the DetailedDescription as examples or embodiments, with each claim standing on itsown as a separate embodiment, and it is contemplated that suchembodiments can be combined with each other in various combinations orpermutations. The scope of the embodiments should be determined withreference to the appended claims, along with the full scope ofequivalents to which such claims are entitled.

1. An apparatus comprising: radio frequency (RF) transceiver circuitry,the RF transceiver circuitry comprising at least one antennacommunicatively coupled to a receiver and a transmitter; and processingcircuitry coupled to the RF transceiver circuitry, the processingcircuitry to: cause interrogation of a target device with a firstplurality of electromagnetic signals emitted via the at least oneantenna at a first time instance, to generate a reference evaluation ofthe target device; cause interrogation of the target device with asecond plurality of electromagnetic signals emitted via the at least oneantenna at a second time instance, to generate a plurality of mixed RFsignals; detect emissions received from the target device via thereceiver, the emissions generated by the target device based on theplurality of mixed RF signals; perform a comparison of the referenceevaluation of the target device with the emissions received from thetarget device to detect physical alteration or tampering of the targetdevice; and generate a notification based on the comparison.
 2. Theapparatus of claim 1, wherein the processing circuitry is further to:perform a second comparison of a first signal characteristic associatedwith the received emissions and a second signal characteristicassociated with the second plurality of electromagnetic signalsinterrogating the target device.
 3. The apparatus of claim 2, whereinthe processing circuitry is further to: perform an evaluation of thetarget device based on the second comparison; and generate a secondnotification based on the evaluation.
 4. The apparatus of claim 2,wherein the at least one antenna is air-gapped from the target device,and wherein the first signal characteristic and the second signalcharacteristic include at least one of: a signal frequency; a frequencydistribution metric; a spectral power distribution metric; a spectraldensity; a signal pattern derived from changes in frequency, amplitude,or phase; and existence of non-linear mixing spurs or mixing products.5. The apparatus of claim 1, wherein the at least one antenna comprisesa plurality of antennas, wherein the transmitter comprises a pluralityof transmitters, and wherein each transmitter of the plurality oftransmitters is coupled to a corresponding antenna of the plurality ofantennas.
 6. The apparatus of claim 5, wherein to interrogate the targetdevice with the second plurality of electromagnetic signals, eachtransmitter of the plurality of transmitters is configured to transmit acorresponding electromagnetic signal of the second plurality ofelectromagnetic signals, the second plurality of electromagnetic signalsbeing at a frequency offset from each other and covering a firstpredetermined frequency range.
 7. The apparatus of claim 6, wherein theprocessing circuitry is further to: cause scanning a secondpredetermined frequency range by the receiver, to detect the emissionsfrom the target device.
 8. The apparatus of claim 7, wherein the secondpredetermined frequency range is non-overlapping with the firstpredetermined frequency range.
 9. The apparatus of claim 7, whereinscanning the second predetermined frequency range takes place when thetarget device is in a powered off state.
 10. The apparatus of claim 1,wherein the received emissions from the target device comprise aresonant RF signal generated from reflections of the plurality of mixedRF signals by components of the target device.
 11. The apparatus ofclaim 1, wherein the at least one antenna comprises a plurality of loopantennas, and wherein the plurality of loop antennas, the transmitter,and the receiver are electrically isolated from components of the targetdevice.
 12. The apparatus of claim 1, wherein the target devicecomprises at least one of: a computer system; a communications system;an Internet connected device; an avionics system; a military system; anda business system.
 13. A method comprising: interrogating a targetdevice with a first plurality of electromagnetic signals emitted via atleast one antenna at a first time instance, to generate a referenceevaluation of the target device; interrogating the target device with asecond plurality of electromagnetic signals emitted via the at least oneantenna at a second time instance, to generate a plurality of mixed RFsignals; detecting emissions received from the target device, theemissions generated by the target device based on the plurality of mixedRF signals; performing a comparison of the reference evaluation of thetarget device with the emissions received from the target device todetect physical alteration or tampering of the target device; andgenerating a notification based on the comparison.
 14. The method ofclaim 13, further comprising: performing a second comparison of a firstsignal characteristic associated with the received emissions and asecond signal characteristic associated with the second plurality ofelectromagnetic signals interrogating the target device.
 15. The methodof claim 14, further comprising: performing an evaluation of the targetdevice based on the second comparison; and generating a secondnotification based on the evaluation.
 16. The method of claim 13,wherein interrogating the target device with the second plurality ofelectromagnetic signals comprises: transmitting each electromagneticsignal of the second plurality of electromagnetic signals using acorresponding transmitter of a plurality of transmitters, the secondplurality of electromagnetic signals being at a frequency offset fromeach other and covering a first predetermined frequency range.
 17. Themethod of claim 16, further comprising: scanning a second predeterminedfrequency range to detect the emissions from the target device.
 18. Anon-transitory computer-readable storage medium that stores instructionsfor execution by one or more processors of a tampering detection device,the instructions to configure the one or more processors to cause thetamper detection device to perform operations comprising: interrogatinga target device with a first plurality of electromagnetic signalsemitted via at least one antenna at a first time instance, to generate areference evaluation of the target device; interrogating the targetdevice with a second plurality of electromagnetic signals emitted viathe at least one antenna at a second time instance, to generate aplurality of mixed RF signals; detecting emissions received from thetarget device, the emissions generated by the target device based on theplurality of mixed RF signals; performing a comparison of the referenceevaluation of the target device with the emissions received from thetarget device to detect physical alteration or tampering of the targetdevice; and generating a notification based on the comparison.
 19. Thenon-transitory computer-readable storage medium of claim 18, theoperations further comprising: performing a second comparison of a firstsignal characteristic associated with the received emissions and asecond signal characteristic associated with the second plurality ofelectromagnetic signals interrogating the target device.
 20. Thenon-transitory computer-readable storage medium of claim 19, theoperations further comprising: performing an evaluation of the targetdevice based on the second comparison; and generating a secondnotification based on the evaluation.